US12567953B2ActiveUtilityA1

Inline security key exchange

66
Assignee: JUNIPER NETWORKS INCPriority: Oct 26, 2021Filed: Jun 17, 2024Granted: Mar 3, 2026
Est. expiryOct 26, 2041(~15.3 yrs left)· nominal 20-yr term from priority
H04L 63/0428H04L 9/0891H04L 9/0827H04L 9/088H04W 12/033H04L 63/0435H04L 63/06H04L 63/08H04L 9/0822H04L 9/14H04L 9/0825
66
PatentIndex Score
0
Cited by
28
References
19
Claims

Abstract

Techniques are disclosed for inline security key exchanges between network devices. An example network device includes one or more processors and memory coupled to the one or more processors. The memory stores instructions that, upon execution, cause one or more processors to obtain a first payload key and obtain a path key. The instructions cause the one or more processors to encrypt a first payload of a first packet using the first payload key and insert the first payload key into first metadata of the first packet. The instructions cause the one or more processors to encrypt the first metadata using the path key and send the first packet to another network device.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . Non-transitory computer readable storage media storing instructions, which, when executed cause one or more processors of a network device to:
 obtain a first payload key, the first payload key being associated with a first session;   obtain a path key, wherein the path key is associated with a path between the network device and a neighboring network device;   encrypt a first packet payload of a first packet using the first payload key;   insert the first payload key into first metadata for the first packet;   encrypt the first metadata using the path key, the first metadata including the first payload key, to generate encrypted first metadata;   send the first packet including the encrypted first metadata and the first packet payload to the neighboring network device;   determine that a second packet payload of a second packet is associated with the first session;   based on the second packet payload being associated with the first session, encrypt the second packet payload using the first payload key; and   send the second packet including second metadata to the neighboring network device, the second metadata not including the first payload key.   
     
     
         2 . The non-transitory computer readable storage media of  claim 1 , wherein the instructions cause the one or more processors to obtain the first payload key by generating the first payload key or by receiving the first payload key. 
     
     
         3 . The non-transitory computer readable storage media of  claim 1 , wherein the instructions further cause the one or more processors to:
 determine to update the first payload key;   obtain a second payload key;   encrypt a third packet payload of a third packet using the second payload key;   insert the second payload key into third metadata of the third packet;   encrypt the third metadata using the path key; and   send the third packet to the neighboring network device.   
     
     
         4 . The non-transitory computer readable storage media of  claim 1 , wherein the instructions further cause the one or more processors to:
 obtain a second payload key associated with a second session;   encrypt a third packet payload of a third packet associated with the second session using the second payload key;   insert the second payload key into third metadata of the third packet;   encrypt the third metadata using the path key; and   send the third packet to the neighboring network device.   
     
     
         5 . The non-transitory computer readable storage media of  claim 1 , wherein the first payload key is further associated with a first type of service and wherein the instructions further cause the one or more processors to:
 obtain a second payload key associated with a second type of service;   encrypt a third packet payload of a third packet associated with the second type of service using the second payload key;   insert the second payload key into third metadata of the third packet;   encrypt the third metadata using the path key; and   send the third packet to the neighboring network device.   
     
     
         6 . The non-transitory computer readable storage media of  claim 1 , wherein the network device comprises a session-based router. 
     
     
         7 . The non-transitory computer readable storage media of  claim 1 , wherein the neighboring network device comprises a session-based router. 
     
     
         8 . Non-transitory computer readable storage media storing instructions, which, when executed cause one or more processors of a network device to:
 obtain a path key;   receive a first packet from a neighboring network device;   decrypt first metadata of the first packet using the path key;   obtain a first payload key from the first metadata of the first packet, the first payload key being associated with a first session;   decrypt a first packet payload of the first packet using the first payload key;   receive a second packet including a second packet payload and second metadata from the neighboring network device, the second metadata not including the first payload key;   determine that the second packet payload is associated with the first session based on the second metadata; and   decrypt the second packet payload of the second packet using the first payload key.   
     
     
         9 . The non-transitory computer readable storage media of  claim 8 , wherein the instructions further cause the one or more processors to:
 receive a third packet from the neighboring network device;   decrypt third metadata of the third packet using the path key;   obtain a second payload key from the third metadata of the third packet; and   decrypt a third packet payload of the third packet using the second payload key.   
     
     
         10 . The non-transitory computer readable storage media of  claim 8 , wherein the instructions further cause the one or more processors to:
 receive a third packet from the neighboring network device, the third packet being associated with a second session;   decrypt third metadata of the third packet using the path key;   obtain a second payload key from the third metadata of the third packet, the second payload key being associated with the second session; and   decrypt a third packet payload of the third packet using the second payload key.   
     
     
         11 . The non-transitory computer readable storage media of  claim 8 , wherein the first payload key is further associated with a first type of service and wherein the instructions further cause the one or more processors to:
 receive a third packet from the neighboring network device, the third packet being associated with a second type of service;   decrypt third metadata of the third packet using the path key;   obtain a second payload key from the third metadata of the third packet, the second payload key being associated with the second type of service; and   decrypt a third packet payload of the third packet using the second payload key.   
     
     
         12 . The non-transitory computer readable storage media of  claim 8 , wherein the network device comprises a session-based router. 
     
     
         13 . The non-transitory computer readable storage media of  claim 8 , wherein the neighboring network device comprises a session-based router. 
     
     
         14 . A method comprising:
 obtaining, by one or more processors of an egress network device, a path key;   receiving, by the one or more processors of the egress network device, a first packet from a neighboring network device;   decrypting, by the one or more processors of the egress network device, first metadata of the first packet using the path key;   obtaining, by the one or more processors of the egress network device, a first payload key from the first metadata of the first packet, the first payload key being associated with a first session;   decrypting, by the one or more processors of the egress network device, a first packet payload of the first packet using the first payload key;   receiving, by the one or more processors of the egress network device, a second packet including a second packet payload and second metadata from the neighboring network device, the second metadata not including the first payload key;   determining, by the one or more processors of the egress network device, that the second packet payload is associated with the first session based on the second metadata; and   decrypting, by the one or more processors of the egress network device, the second packet payload of the second packet using the first payload key.   
     
     
         15 . The method of  claim 14 , further comprising:
 receiving, by the one or more processors of the egress network device, a third packet from the neighboring network device;   decrypting, by the one or more processors of the egress network device, third metadata of the third packet using the path key;   obtaining, by the one or more processors of the egress network device, a second payload key from the third metadata of the third packet; and   decrypting, by the one or more processors of the egress network device, a third packet payload of the third packet using the second payload key.   
     
     
         16 . The method of  claim 14 , further comprising:
 receiving, by the one or more processors of the egress network device, a third packet from the neighboring network device, the third packet being associated with a second session;   decrypting, by the one or more processors of the egress network device, third metadata of the third packet using the path key;   obtaining, by the one or more processors of the egress network device, a second payload key from the third metadata of the third packet, the second payload key being associated with the second session; and   decrypting, by the one or more processors of the egress network device, a third packet payload of the third packet using the second payload key.   
     
     
         17 . The method of  claim 14 , wherein the first payload key is further associated with a first type of service and wherein the method further comprises:
 receiving, by the one or more processors of the egress network device, a third packet from the neighboring network device, the third packet being associated with a second type of service;   decrypting, by the one or more processors of the egress network device, third metadata of the third packet using the path key;   obtaining, by the one or more processors of the egress network device, a second payload key from the third metadata of the third packet, the second payload key being associated with the second type of service; and   decrypting, by the one or more processors of the egress network device, a third packet payload of the third packet using the second payload key.   
     
     
         18 . The method of  claim 14 , wherein the egress network device comprises a session-based router. 
     
     
         19 . The method of  claim 14 , wherein the neighboring network device comprises a session-based router.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.